CVE-2026-45580
Status: Analyzed (analysis complete)
Stored XSS in WWBN AVideo Live Plugin

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
Meta Information

Generated: 2026-06-19

AI Q&A: 2026-05-29

EPSS evaluated: 2026-06-18
Affected Vendors & Products

Vendor: wwbn
Product: avideo
Version / Range: up to and including 29.0
CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-45580 is a stored cross-site scripting (XSS) vulnerability in the WWBN AVideo platform, specifically in the Live plugin's "YouTube-style" view.

The vulnerability occurs because the live transmission's stream key is rendered directly into an HTML class attribute without proper escaping using htmlspecialchars().

An attacker with canStream privileges can submit a crafted stream key containing malicious JavaScript event handlers via the saveLive.php endpoint.

When any visitor, logged in or anonymous, opens the attacker's live page, the injected JavaScript executes in the context of the AVideo platform, potentially allowing the attacker to steal session cookies or perform other malicious actions.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the browsers of visitors to the affected live stream page.

Potential impacts include theft of session cookies, which could lead to account takeover, unauthorized actions performed on behalf of the victim, and other malicious activities within the AVideo platform origin.

Since the vulnerability affects both logged-in and anonymous users, it can compromise user data and platform integrity.

Detection Guidance

This vulnerability can be detected by inspecting the Live plugin's "YouTube-style" view pages for unescaped stream keys that are rendered directly into HTML class attributes. Specifically, look for stream keys containing suspicious characters or event handlers such as 'onmouseover' that could indicate an attempted cross-site scripting (XSS) attack.

To detect exploitation attempts or the presence of malicious stream keys, search the database or logs for stream keys containing suspicious patterns or event handlers.

  • Use SQL queries to find stream keys with suspicious characters, for example: SELECT * FROM live_transmitions WHERE `key` LIKE '%onmouseover%' OR `key` LIKE '%onerror%' OR `key` LIKE '%<script>%';
  • Monitor HTTP requests to plugin/Live/saveLive.php for POST data containing suspicious stream keys.
  • Use web vulnerability scanners or browser developer tools to inspect the HTML source of live stream pages for unescaped stream keys in class attributes.

Mitigation Strategies

The immediate mitigation step is to apply proper escaping of the stream key when rendering it in HTML contexts by using the PHP function htmlspecialchars(). This prevents malicious JavaScript from executing.

Additionally, enforce a character allowlist on the live_transmitions.key field at write time to restrict stream keys to safe characters only.

If possible, update the AVideo platform to a version later than 29.0 where this vulnerability is fixed.

Monitor and audit existing stream keys for suspicious content and remove or sanitize any malicious entries.
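The following is an added example, not AVideo's own code, showing the three controls described above in PHP: the raw-echo pattern from the advisory beside its htmlspecialchars() counterpart, a write-time allowlist check for the stream key, and an audit pass that flags existing keys failing the allowlist (a broader net than the LIKE query above, since it catches any character outside the allowlist rather than only known handler names). The function names, the allowlist pattern and length limit, and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example, not the project's own code. Names, allowlist rule and sample rows are constructed.

// Allowlist for stream keys: letters, digits, '-' and '_' only, with a length bound.
// The exact pattern and limit are assumptions, not AVideo's rule.
function isSafeStreamKey(string $key): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $key) === 1;
}

// Vulnerable pattern as described in the advisory: the key is echoed raw into a class attribute,
// so a key containing '"' closes the attribute and whatever follows becomes new attributes.
function renderVulnerable(string $key): string
{
    return '<div class="live-' . $key . '">';
}

// Hardened render: escape for the HTML attribute context before output.
function renderHardened(string $key): string
{
    return '<div class="live-' . htmlspecialchars($key, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Write-time guard for the save path (the place where saveLive.php persists the key).
function validateKeyForSave(string $key): string
{
    if (!isSafeStreamKey($key)) {
        throw new InvalidArgumentException('stream key contains characters outside the allowlist');
    }
    return $key;
}

// Audit pass over existing rows: returns the ids of rows whose key fails the allowlist.
// $rows stands in for a fetch from live_transmitions (id, key).
function auditStreamKeys(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (!isSafeStreamKey((string) $row['key'])) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

// Constructed sample rows; the second carries the '"' plus event-handler shape the advisory describes.
$rows = [
    ['id' => 1, 'key' => 'abc123-stream_key'],
    ['id' => 2, 'key' => 'x" onmouseover="alert(1)'],
];

echo renderVulnerable($rows[1]['key']), PHP_EOL; // attribute is broken open by the quote
echo renderHardened($rows[1]['key']), PHP_EOL;   // quote is emitted as an entity; attribute stays closed

try {
    validateKeyForSave($rows[1]['key']);
} catch (InvalidArgumentException $e) {
    echo 'rejected at write time: ', $e->getMessage(), PHP_EOL;
}

print_r(auditStreamKeys($rows)); // ids of rows needing review or sanitisation
```

Apply the allowlist in the save path and the escaping in the view: the allowlist limits what can be stored, while htmlspecialchars() with ENT_QUOTES protects the attribute context even for keys that predate the allowlist. The audit function is the cleanup step for keys already in the table.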
